Detecting Man-in-the-Middle Attacks

Muthukumar Lakshmanan, published in AttivoTechBlogs, Jan 17, 2020

An internal Man-in-the-Middle (MITM) attack is one where attackers insert themselves into the communications path on a network segment to intercept packets from hosts on that segment and either respond to them directly or relay the communications after modifying their content. Attackers use MITM attacks primarily to intercept network traffic from hosts, harvest credentials and steal information.

A MITM attack typically exploits the inherent lack of security in some of the broadcast/multicast protocols at L2/L3. The difficulty in detecting MITM attacks is that, because the attack is passive in nature, the sensor or detector must be on the same subnet or VLAN as the system conducting the attack activity. Deception technology is ideally suited for detecting such attacks.

Some of the more prevalent MITM attacks are explained below.

NBNS/LLMNR/mDNS Spoofing Attack

NetBIOS Name Services (NBNS), Link-Local Multicast Name Resolution (LLMNR) & multicast Domain Name Services (mDNS) are protocols used to conduct name resolution of resources within a network as a fallback mechanism when regular DNS name resolution fails. They operate only within a broadcast domain, meaning they can only resolve domain names within a subnet. While Windows uses NBNS and LLMNR for name resolution, OSX uses mDNS. All these protocols use UDP for name resolution.

An attacker can easily impersonate servers by sending spoofed responses to hosts that query for services with these name resolution requests. Web Proxy Auto-Discovery (WPAD) poisoning and SMB relay attacks are some of the popular attacks that use MITM for credential harvesting.
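On the wire, the spoofed answers described above are ordinary DNS-format messages (LLMNR on UDP 5355, mDNS on UDP 5353; NBNS on UDP 137 uses its own name encoding). The Python below is an added example for this article, not code from the post or from Attivo: it decodes LLMNR responses and flags a source that answers a known name with the wrong address, answers a name that is not in the inventory, answers the WPAD name, or answers many different names. `KNOWN_HOSTS`, `MULTI_NAME_THRESHOLD` and every sample packet are assumptions constructed for the example.

```python
"""Flag suspicious LLMNR answers seen on a segment (added example, not Attivo code).

Three of the behaviours the article describes are checked: a host answering an
existing name with a different address, a host answering a name that does not
exist in the inventory, and a single host answering many names. All packets
below are constructed test data.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Assumed inventory: names that legitimately resolve on this segment -> address.
KNOWN_HOSTS = {"fileserver": "10.0.0.5", "printer": "10.0.0.9"}
MULTI_NAME_THRESHOLD = 3  # distinct names answered by one source before alerting


def _read_name(pkt, off):
    """Decode a DNS-style name starting at off, following compression pointers."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            name, _ = _read_name(pkt, ptr)
            return ".".join(labels + [name]), off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_llmnr_response(pkt):
    """Return (queried name, [IPv4 answers]) or None if pkt is not a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or qd != 1:
        return None
    qname, off = _read_name(pkt, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _name, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass & 0x7FFF == 1 and rdlen == 4:  # A record, class IN
            answers.append(str(IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return qname.lower(), answers


class SpoofDetector:
    def __init__(self, known_hosts=KNOWN_HOSTS):
        self.known = {k.lower(): v for k, v in known_hosts.items()}
        self.names_by_src = defaultdict(set)  # responder IP -> names it answered

    def inspect(self, src_ip, pkt):
        """Return a list of (alert, detail) for one response packet sent by src_ip."""
        parsed = parse_llmnr_response(pkt)
        if parsed is None:
            return []
        name, answers = parsed
        alerts = []
        if name == "wpad":  # proxy discovery should never be answered on the segment
            alerts.append(("wpad_answer", f"{src_ip} answered WPAD with {answers}"))
        elif name in self.known:
            if any(a != self.known[name] for a in answers):
                alerts.append(("spoof_existing", f"{name} is {self.known[name]}, got {answers}"))
        else:
            alerts.append(("nonexistent_name", f"{src_ip} answered unknown name {name!r}"))
        self.names_by_src[src_ip].add(name)
        if len(self.names_by_src[src_ip]) >= MULTI_NAME_THRESHOLD:
            names = sorted(self.names_by_src[src_ip])
            alerts.append(("multi_name_responder", f"{src_ip} has answered {names}"))
        return alerts


def _sample_response(txid, name, ip):
    """Constructed test input only: one LLMNR A-record response in DNS wire format."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + IPv4Address(ip).packed
    return header + question + answer


SAMPLE_TRAFFIC = [  # (source IP, packet); 10.0.0.66 answers everything with itself
    ("10.0.0.5", _sample_response(1, "fileserver", "10.0.0.5")),    # legitimate
    ("10.0.0.66", _sample_response(2, "fileserver", "10.0.0.66")),  # wrong address
    ("10.0.0.66", _sample_response(3, "fileshare", "10.0.0.66")),   # typo, no such host
    ("10.0.0.66", _sample_response(4, "wpad", "10.0.0.66")),
]


def run(traffic=SAMPLE_TRAFFIC):
    det = SpoofDetector()
    return [a for src, pkt in traffic for a in det.inspect(src, pkt)]


if __name__ == "__main__":
    for kind, detail in run():
        print(f"{kind}: {detail}")
```

In a deployment the inventory would come from DNS or the asset database rather than a dict, and the threshold needs tuning: a legitimate host answers only its own name, so even two distinct names from one source is worth a look.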

WPAD Poisoning Attack

WPAD is a mechanism used by Windows to auto-discover proxy settings. On an enterprise network, a DNS entry for “wpad” should point to a proxy server that hosts a “wpad.dat” file. Internet Explorer is configured by default to auto-discover proxy settings by looking for a WPAD server. If the DNS lookup for WPAD fails, the client falls back to NBNS/LLMNR to resolve it. When an attacker system on the same broadcast domain sees a request for WPAD, it can send a spoofed response and force all HTTP traffic to pass through it. The attacker can also demand authentication when the client tries to fetch the wpad.dat file, capturing the credentials.

Here is an illustration that describes how an attacker performs WPAD poisoning.

WPAD Poisoning Attack

SMB Relay Attack

An SMB relay attack relies on Microsoft NT LAN Manager (NTLM) v2 authentication, which is typically used in corporate networks. NTLM uses a challenge/response protocol for authentication. When a client attempts to connect to a server, the server sends a challenge message to the client, asking it to encrypt the challenge with its password hash. The server then verifies the response against its own copy of the client’s password hash. If the check succeeds, the server authenticates the client. This method of authentication is prone to relay attacks, which attackers use to steal credentials for critical servers.

Here is an illustration of how an attacker performs an SMB relay attack.

SMB Relay Attack

The other vector for an SMB relay attack is to exploit automated patch and policy server mechanisms. Corporate networks have management practices that include automated patch updates, policy updates, etc., pushed from dedicated systems using service or administrative accounts. Since these operations execute on every host on the network, they also run against systems the attacker controls. When one of these automated systems connects to the attacker-controlled system, the attacker relays the authentication attempt to a target server. The target server generates a challenge and sends it back to the attacker. The attacker forwards the challenge to the automated policy management system. The policy management system encrypts the challenge with the correct password hash and sends the response to the attacker. The attacker passes the correctly encrypted response on to the target server, which authenticates it.
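A relayed NTLM logon leaves a trace the server can see: the workstation name carried inside the NTLM messages belongs to the real client, while the TCP connection arrives from the relay host. The Python below is an added example, not code from this article or from Attivo: it compares the `WorkstationName` of a Windows 4624 network logon with the event’s source `IpAddress` against an assumed asset inventory, and separately flags the service accounts used by automated patch/policy jobs when they authenticate from a host other than the management server. `ASSET_INVENTORY`, `SERVICE_ACCOUNTS`, `MANAGEMENT_HOSTS` and the sample events are constructed assumptions.

```python
"""Spot NTLM network logons that may have been relayed (added example, not Attivo code).

Fields mirror Windows Security event 4624 (successful logon). The inventory,
account lists and events below are constructed test data.
"""

ASSET_INVENTORY = {"WS-ALICE": "10.0.0.21", "PATCHSRV": "10.0.0.30"}  # hostname -> IP
SERVICE_ACCOUNTS = {"svc_patch"}  # accounts used by automated patch/policy jobs
MANAGEMENT_HOSTS = {"10.0.0.30"}  # the only sources allowed to use those accounts

SAMPLE_EVENTS = [  # constructed 4624 events, relevant fields only
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE",
     "IpAddress": "10.0.0.21", "Computer": "FILESRV"},   # clean: name and source agree
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE",
     "IpAddress": "10.0.0.66", "Computer": "FILESRV"},   # alice's creds, other source
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_patch", "WorkstationName": "PATCHSRV",
     "IpAddress": "10.0.0.66", "Computer": "DC01"},      # patch account relayed to a DC
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "WorkstationName": "WS-BOB",
     "IpAddress": "10.0.0.22", "Computer": "FILESRV"},   # Kerberos, not in scope
]


def check_event(ev, inventory=ASSET_INVENTORY):
    """Return a list of finding strings for one logon event (empty if clean)."""
    findings = []
    if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "NTLM":
        return findings  # relay is an NTLM problem; Kerberos logons are skipped
    if ev.get("LogonType") != 3:
        return findings  # network logons only
    ws = ev.get("WorkstationName", "").upper()
    src = ev.get("IpAddress", "")
    user = ev.get("TargetUserName", "")
    expected = inventory.get(ws)
    if expected and expected != src:
        findings.append(f"workstation_ip_mismatch: {ws} is {expected} but the NTLM logon "
                        f"for {user} on {ev.get('Computer')} came from {src}")
    if user.lower() in SERVICE_ACCOUNTS and src not in MANAGEMENT_HOSTS:
        findings.append(f"service_account_unexpected_source: {user} used from {src}")
    return findings


def scan(events=SAMPLE_EVENTS):
    """Run check_event over a batch of events and collect every finding."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Two caveats: the workstation name is supplied by the client, so a clean match proves nothing, and hosts that change address via DHCP will produce mismatches until the inventory catches up. The detection is a complement to, not a substitute for, requiring SMB signing, which prevents the relayed session from being used even when the authentication itself succeeds.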

ARP Poisoning Attack

Address Resolution Protocol (ARP) poisoning is another common technique attackers use to conduct MITM attacks on unicast protocols. In an ARP poisoning attack, the attacker system responds to ARP requests for the default gateway with its own MAC address. This poisons the ARP cache on endpoint hosts, which then send packets to the attacker instead of the real gateway. With this, the attacker gains complete control of network connections from endpoints. An attacker system can also take over connection requests by responding to DNS requests with its own IP or with the IP of another end host that the attacker controls.

Apart from responding to ARP requests, an attacker system can send spoofed gratuitous ARP packets announcing that the gateway’s MAC address has changed to its own. Endpoint hosts that already have an entry for the default gateway update their ARP table with the attacker system’s MAC address, causing all network traffic to go to the attacker.

Here is an illustration of how an ARP Poison attack works.

ARP Poison Attack
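Both variants above change what a segment’s hosts believe about the gateway’s MAC address, and a passive sensor on the same VLAN sees the packets that do it. The Python below is an added example, not code from this article or from Attivo: it decodes the 28-byte Ethernet/IPv4 ARP payload, keeps its own IP-to-MAC table, and alerts when the gateway’s MAC changes (whether by a reply or by a gratuitous announcement) and when a single MAC starts claiming several IP addresses. `GATEWAY_IP` and all sample packets are constructed assumptions.

```python
"""Watch ARP traffic for cache-poisoning signs (added example, not Attivo code).

Only the ARP payload is parsed (no Ethernet header). The gateway address and
every packet below are constructed test data.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

GATEWAY_IP = "10.0.0.1"  # assumed default gateway for the monitored segment
ARP_REQUEST, ARP_REPLY = 1, 2


def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload):
    """Return the fields of one Ethernet/IPv4 ARP payload as a dict."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": oper, "sender_mac": _fmt_mac(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": _fmt_mac(tha), "target_ip": str(IPv4Address(tpa))}


class ArpWatcher:
    def __init__(self, gateway_ip=GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.table = {}                     # ip -> mac learned from sender fields
        self.ips_by_mac = defaultdict(set)  # mac -> every ip it has claimed

    def observe(self, payload):
        """Feed one ARP payload; return a list of (alert, detail)."""
        a = parse_arp(payload)
        ip, mac = a["sender_ip"], a["sender_mac"]
        gratuitous = ip == a["target_ip"]   # an announcement rather than a lookup
        alerts = []
        old = self.table.get(ip)
        if old is not None and old != mac:
            kind = "gateway_mac_changed" if ip == self.gateway_ip else "ip_mac_changed"
            how = "gratuitous ARP" if gratuitous else ("reply" if a["op"] == ARP_REPLY else "request")
            alerts.append((kind, f"{ip} moved from {old} to {mac} via {how}"))
        self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            alerts.append(("mac_claims_multiple_ips", f"{mac} claims {sorted(self.ips_by_mac[mac])}"))
        return alerts


def _arp(op, smac, sip, tmac, tip):
    """Constructed test input only: pack one Ethernet/IPv4 ARP payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(smac) + IPv4Address(sip).packed + mac(tmac) + IPv4Address(tip).packed)


GW_MAC, HOST_MAC, ROGUE_MAC = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:21", "cc:cc:cc:cc:cc:66"
SAMPLE_ARP = [
    _arp(ARP_REPLY, GW_MAC, "10.0.0.1", HOST_MAC, "10.0.0.21"),       # real gateway answers
    _arp(ARP_REQUEST, HOST_MAC, "10.0.0.21", "00:00:00:00:00:00", "10.0.0.1"),  # normal lookup
    _arp(ARP_REPLY, ROGUE_MAC, "10.0.0.1", HOST_MAC, "10.0.0.21"),    # gateway now "is" rogue
    _arp(ARP_REPLY, ROGUE_MAC, "10.0.0.21", ROGUE_MAC, "10.0.0.21"),  # gratuitous, both sides
]


def run(packets=SAMPLE_ARP):
    watcher = ArpWatcher()
    return [a for pkt in packets for a in watcher.observe(pkt)]


if __name__ == "__main__":
    for kind, detail in run():
        print(f"{kind}: {detail}")
```

A real sensor should seed the table from a trusted source (the switch’s MAC table or a static entry for the gateway) so the first packet it sees cannot teach it the wrong mapping, and should treat a mapping that flaps between two MACs as the strongest signal.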

MITM attack using Rogue DHCP Server

By deploying a rogue DHCP server on the network, an attacker can control almost the entire network. Attackers configure the rogue DHCP server to hand out their own system as both the default gateway and the DNS server. All traffic from endpoint hosts that obtain IP addresses from the rogue DHCP server is thereby forced through the attacker system, and those hosts use the attacker’s IP for name resolution.

Here is an illustration of how an attacker launches a MITM attack using a rogue DHCP server.

Rogue DHCP Server
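A rogue server’s leases differ from the legitimate server’s in exactly the fields the text names: the server identifier, the router and the DNS options. The Python below is an added example, not code from this article or from Attivo: it parses the BOOTP/DHCP header and option list (message type 53, server identifier 54, router 3, DNS 6) and compares each DHCPOFFER with an assumed list of authorized servers and the expected gateway and resolvers. `AUTHORIZED_SERVERS`, `EXPECTED_ROUTER`, `EXPECTED_DNS` and the sample offers are constructed assumptions.

```python
"""Flag DHCPOFFERs from servers that should not exist (added example, not Attivo code).

The server list, expected gateway/resolvers and every packet below are
constructed test data.
"""
import struct
from ipaddress import IPv4Address

AUTHORIZED_SERVERS = {"10.0.0.2"}
EXPECTED_ROUTER = "10.0.0.1"
EXPECTED_DNS = {"10.0.0.2", "10.0.0.3"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPOFFER = 2
OPT_MSG_TYPE, OPT_ROUTER, OPT_DNS, OPT_SERVER_ID = 53, 3, 6, 54


def parse_dhcp(pkt):
    """Return (yiaddr, {option code: raw value}) for one DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    yiaddr = str(IPv4Address(pkt[16:20]))  # the address being offered
    opts, off = {}, 240
    while off < len(pkt):
        code = pkt[off]
        if code == 255:  # END
            break
        if code == 0:    # PAD
            off += 1
            continue
        length = pkt[off + 1]
        opts[code] = pkt[off + 2:off + 2 + length]
        off += 2 + length
    return yiaddr, opts


def _ips(raw):
    """Decode a run of 4-byte addresses (router and DNS options may list several)."""
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - len(raw) % 4, 4)]


def check_offer(src_ip, pkt):
    """Return alert strings for one OFFER seen from src_ip (empty if it looks legitimate)."""
    yiaddr, opts = parse_dhcp(pkt)
    if opts.get(OPT_MSG_TYPE, b"")[:1] != bytes([DHCPOFFER]):
        return []
    alerts = []
    server_id = _ips(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else src_ip
    routers = _ips(opts.get(OPT_ROUTER, b""))
    dns = _ips(opts.get(OPT_DNS, b""))
    if server_id not in AUTHORIZED_SERVERS or src_ip not in AUTHORIZED_SERVERS:
        alerts.append(f"rogue_dhcp_server: offer of {yiaddr} from {src_ip} (server id {server_id})")
    if routers and routers[0] != EXPECTED_ROUTER:
        alerts.append(f"unexpected_router: {routers[0]} instead of {EXPECTED_ROUTER}")
    if dns and not set(dns) <= EXPECTED_DNS:
        alerts.append(f"unexpected_dns: {dns}")
    if routers and server_id == routers[0] and server_id in dns:
        alerts.append(f"server_is_gateway_and_dns: {server_id} placed itself on the whole path")
    return alerts


def _offer(server_ip, yiaddr, router, dns_list, xid=0x1234):
    """Constructed test input only: build a minimal DHCPOFFER."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                  # op=BOOTREPLY
    hdr += b"\x00" * 4 + IPv4Address(yiaddr).packed + b"\x00" * 8        # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("aabbccddeeff") + b"\x00" * 10 + b"\x00" * 192   # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4 * len(dns_list)]) + b"".join(IPv4Address(d).packed for d in dns_list)
    return hdr + MAGIC_COOKIE + opts + b"\xff"


SAMPLE_OFFERS = [  # (source IP, packet)
    ("10.0.0.2", _offer("10.0.0.2", "10.0.0.50", "10.0.0.1", ["10.0.0.2", "10.0.0.3"])),  # legitimate
    ("10.0.0.66", _offer("10.0.0.66", "10.0.0.51", "10.0.0.66", ["10.0.0.66"])),          # rogue
]


def run(offers=SAMPLE_OFFERS):
    return [a for src, pkt in offers for a in check_offer(src, pkt)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The same parser works on DHCPACK messages (type 5), which is what to inspect if the sensor only sees unicast traffic after the client has chosen a server; on switched networks the longer-term fix is DHCP snooping, which drops server messages on untrusted ports.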

How to launch MITM attacks

“Responder” is a popular application that penetration testers and attackers use to conduct NBNS/LLMNR spoofing, WPAD poisoning, and SMB relay attacks. It is a simple Python-based tool that runs on any operating system, and it makes harvesting user credentials on the network quite simple.

Imagine a user mistyping a non-existent domain name in the browser. The browser would first attempt to resolve the domain name using DNS. Since the domain does not exist, DNS resolution would fail, and the system would fall back to NBNS to resolve the name. When the attacker system sees the NBNS request for that name, it responds to the requester with its own IP address for the non-existent domain.

In the illustration below, a user has typed the domain name “jugnusinha”, and the Responder system has answered the NBNS request for it. When Responder receives the resulting HTTP request, it forces an authentication.

Responder forcing authentication for non-existing domain

An unsuspecting user would key in their credentials, which the Responder system captures.

Credential stealing using Responder

MITM Attack detection using the Attivo ThreatDefend Platform™

The Attivo ThreatDefend Platform™ can detect the MITM attacks mentioned above. With the Attivo BOTsink® appliance, customers can connect to the network switch trunk port or deploy decoys on every VLAN to gain visibility into all the broadcast and multicast traffic on the network.

The ThreatDefend platform provides detailed visibility of every host in the network and uses its machine learning algorithms to detect attackers performing MITM activity in real time. The detection covers attackers spoofing existing domains, attackers responding to multiple domain names, and attackers responding to non-existent domains.

ThreatDefend detecting MITM actors

For more information on the ThreatDefend Platform™, please visit www.attivonetworks.com.

Additional reading on using Responder to steal credentials by abusing multicast protocols
